08-09-2019 02:28 PM - edited 02-21-2020 09:23 AM
I have set up a syslog alert, I enabled syslog at the access control policy and I enabled each rule for syslog, but I am not getting any data at the syslog server. Is there somewhere else I need to go to get this to work?
I am using FMC VM 6.3 and ASA FirePowerSensors with latest software.
Thanks,
Diego
08-09-2019 07:51 PM
08-10-2019 06:20 AM
I don't have a syslog option in platform settings. That might apply to FTD, and I am using legacy FirePower services on ASA.
08-10-2019 09:02 PM - edited 08-10-2019 09:03 PM
Syslog direct from the sensor is an FTD feature introduced in 6.3:
Previously, you configured event logging via syslog in multiple places, depending on the event type. In Version 6.3.0, you now configure syslog messaging in the access control policy. These configurations affect connection and intrusion event logging for the access control, SSL, prefilter, and intrusion policies, as well as for Security Intelligence.
For FTD devices, some syslog platform settings now apply to connection and intrusion event messages. For a list, see the "Platform Settings for Firepower Threat Defense" chapter in the Firepower Management Center Configuration Guide.
Otherwise the FMC will be the source of the syslog events. Can you share your FMC syslog settings?
08-11-2019 08:37 AM
After checking my syslog server again I am now seeing messages from both of my sensors and also the FMC. The messages are coming from the individual IPs of each device. I thought they would start immediately after the policy was pushed down, but I guess maybe it takes some time before the devices start sending out data? Or maybe my syslog server (ManageEngine ELA) takes a while to show the data? Anyhow, looks good now.
Thanks all,
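To confirm which devices are actually delivering syslog (the sensors themselves on FTD 6.3+, or only the FMC), a small receiver that tallies datagrams per source IP and severity is a quick check on the collector side. This is an added example, not code from the thread or from Cisco; the IPs and message text in SAMPLE are constructed, and the listener assumes UDP 514 (binding it needs root or CAP_NET_BIND_SERVICE).

```python
import re
import socket
from collections import Counter

# RFC 3164 style PRI header, e.g. "<134>Aug 11 08:30:00 sensor1 ..."
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_pri(line: str):
    """Split a syslog line into (facility, severity, rest); None if no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 0-23, severity 0-7 => max 191
        return None
    return pri // 8, pri % 8, m.group(2)

def tally_sources(packets):
    """packets: iterable of (source_ip, raw_line) -> {ip: Counter(severity -> count)}.
    Lines without a valid PRI are counted under 'unknown' so they are not silently lost."""
    seen = {}
    for ip, raw in packets:
        parsed = parse_pri(raw)
        sev = parsed[1] if parsed else "unknown"
        seen.setdefault(ip, Counter())[sev] += 1
    return seen

def listen(bind_ip="0.0.0.0", port=514, max_packets=100):
    """Receive up to max_packets UDP syslog datagrams and return the per-source tally."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    packets = []
    while len(packets) < max_packets:
        data, (ip, _) = sock.recvfrom(65535)
        packets.append((ip, data.decode("utf-8", errors="replace")))
    sock.close()
    return tally_sources(packets)

# Constructed sample datagrams (addresses and text are made up for illustration).
SAMPLE = [
    ("192.0.2.10", "<134>Aug 11 08:30:01 sensor1 constructed connection event"),
    ("192.0.2.11", "<131>Aug 11 08:30:02 sensor2 constructed intrusion event"),
    ("192.0.2.5",  "<134>Aug 11 08:30:03 fmc constructed FMC event"),
    ("192.0.2.10", "no priority header here"),
]

if __name__ == "__main__":
    for ip, sevs in tally_sources(SAMPLE).items():
        print(ip, dict(sevs))
```

If only the FMC address shows up, the sensors are not logging directly, which matches the legacy-ASA case described in the thread.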